CVE-2017-18869
Privilege Escalation vulnerability in chownr (npm)
What is CVE-2017-18869 About?
This vulnerability in the `chownr` package for Node.js is a Time-of-Check to Time-of-Use (TOCTOU) issue. It allows a local attacker to trick the package into changing ownership of unintended directories via symlink attacks. Exploiting this can lead to privilege escalation.
Affected Software
Technical Details
The chownr package for Node.js (before version 1.1.0) is susceptible to a Time-of-Check to Time-of-Use (TOCTOU) vulnerability. This flaw arises when the package checks file or directory properties (e.g., whether it's a directory) at one point in time, but then acts upon those properties at a later point. During this interval, a local attacker can exploit this race condition by replacing a legitimate target directory with a symbolic link (symlink) pointing to an arbitrary, unintended directory. When chownr then proceeds to recursively change ownership, it will follow the malicious symlink, resulting in the ownership change of a directory outside the intended scope. This can be leveraged for privilege escalation if the chownr operation is performed with elevated privileges.
What is the Impact of CVE-2017-18869?
Successful exploitation may allow attackers to escalate their privileges, gain control over critical system files, or bypass security restrictions through unauthorized ownership changes.
What is the Exploitability of CVE-2017-18869?
Exploiting this TOCTOU vulnerability requires a local attacker to manipulate file system objects (specifically, symbolic links) within a short time window between the chownr package's check and its action. The complexity is moderate due to the race condition aspect. The attacker needs local access to the system and must typically have privileges to create symbolic links. Elevated privileges are not explicitly required for initiating the attack, but the impact and potential for privilege escalation depend on the privileges with which the chownr operation is executed by the legitimate user or process. Special conditions involve the precise timing of the symlink creation and the chownr execution. Systems where untrusted users can execute file operations or system utilities that call chownr are at higher risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2017-18869?
Available Upgrade Options
- chownr
- <1.1.0 → Upgrade to 1.1.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://bugzilla.redhat.com/show_bug.cgi?id=1611614
- https://github.com/isaacs/chownr/commit/36a93e3f0a220062c47b237cf6ab6d5f55cd79c9
- https://github.com/isaacs/chownr/issues/14
- https://snyk.io/vuln/npm:chownr:20180731
- https://bugzilla.redhat.com/show_bug.cgi?id=1611614
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863985
- https://github.com/isaacs/chownr/issues/14
- https://osv.dev/vulnerability/GHSA-c6rq-rjc2-86v2
- https://github.com/isaacs/chownr/commit/a631d841022880e5c8d694408a7e96d6d576d0ce
- https://snyk.io/vuln/npm:chownr:20180731
What are Similar Vulnerabilities to CVE-2017-18869?
Similar Vulnerabilities: CVE-2021-3642 , CVE-2020-1941 , CVE-2019-15891 , CVE-2019-6128 , CVE-2016-5683
